A new survey from Cybersecurity Insiders and Securonix, the results of which can be found in the "2019 Insider Threat Report", reveals the latest security challenges posed by business insiders. No great surprise there then. The findings related to the cloud, however, are perhaps a little more surprising. It’s been long since we moved on from the whole "is the cloud safe to use?" debate. So SC Media UK posed these questions to the infosec professional community: what has business exposed itself to, and what does it need to do about it?
Before we move to the answers to those questions, let's first take a look at what the Securonix report reveals as far as the insider threat and the cloud are concerned.
Close to 40 percent of cybersecurity professionals have identified cloud storage and file sharing apps as being the most vulnerable to insider attacks. More than half of the respondents said that since migrating to the cloud, it has become either 'somewhat to significantly' more difficult to detect those insider attacks. To complete this triumvirate of cloud-related statistics, a mere 40 percent of those surveyed, despite the aforementioned risks, could confirm their organisations actually monitored user behaviour across the cloud footprint.
Given that 21 percent of organisations had also experienced at least five insider attacks during the previous 12 months, the concern becomes particularly palpable. "The benefits of moving to the cloud are obvious," said Shareth Ben, executive director - field engineering at Securonix. "But along with that comes an increased need for security."
Agrees Nitin Agale, SVP of products at Securonix. "The cloud transformation journey is here. The question for businesses is not whether they will move, it is when they will move to the cloud," he told SC Media UK. This brings us to two questions for the broader infosecurity industry: what has business exposed itself to, and what does it need to do about it?
"ISACA research shows that 70 percent of risk management professionals (84 percent of UK based professionals) believed cloud has increased the level of threats and vulnerabilities within their organisations," said ISACA’s board chairman Brennan P Baybeck.
To put that in some perspective, the next highest was IoT on a comparatively low 34 percent. "With cloud," Baybeck continues, "we see an increased acknowledgement that it presents significant challenges to enterprises, and with that knowledge should come an associated improvement in risk management and mitigation practice."
What this means is having the right policies and processes in place, with employee buy-in and compliance, says Neville Armstrong, service strategist at managed cloud and IT infrastructure company Fordway. "The majority of security problems arise when people upload data without thinking of the implications or take data outside the organisation, neither of which are cloud-related issues," Armstrong told SC Media UK.
Not that everyone is buying the ‘insider risk is greater in the cloud’ argument. Take Yossi Naar, co-founder and chief visionary officer at Cybereason. "It might be viewed as an easier method to leak data, but the reality is that insider threats are very difficult to determine unless a user attempts to go beyond their regular day to day work," he told SC Media UK.
"Accessing cloud resources outside of working hours and the workplace itself can sometimes make them easier to find," he argues.
He also rejected the notion that cloud apps are unsafe. "They are typically much more secure than any local internal implementation. The issues tend to arise when trying to monitor certain services or adding enterprise-level controls as you are usually limited by whatever the service itself provides."
Ivan Blesa, head of product at Noble, seem to agree. "The biggest IaaS providers, such as Amazon, Microsoft, and Google, provide all necessary tools to keep enterprise data completely private and secure while running services at scale," Blesa says.
While arguing that almost any IT professional will be able to use their services, Blesa admits that doing so safely requires an understanding of what that specific vendor provides, and utilising it effectively. "A failure to do can easily result in a newly deployed cloud service being completely exposed to attackers," he warns.
Much of this comes down to understanding one thing above all else: where the responsibility for data security rests.
"There has always been confusion around who is responsible for security in the cloud," says Saryu Nayyar, CEO of Gurucul. "Many organisations have been guilty of relinquishing responsibility over cloud security, believing that since cloud services are provided by an external party, that party should be responsible for security."
This is a serious security error, Nayyar concludes, because organisations must treat their cloud systems in the same way they treat their internal IT infrastructure: "regardless of where your data resides," Nayyar says, "it’s fundamentally your responsibility to ensure that the data is secure."
Securonix's Nitin Agale concludes the trail of thoughts on the issue, stating that security exposure in the cloud needs to be thought about in terms of three key components.
1. Visibility: Do you have visibility into what data is sitting in the cloud and where?
2. Access control: Are you actively managing who has access to data and how well is your data secured?
3. Monitoring: Do you have monitoring controls to detect threats from insiders or outsiders to your environment?
"The security in the cloud can be more complex that on-premise because you are relying on your IaaS/PaaS/SaaS vendors to some extent to secure your data," Agale says, "it is critical to review those SLAs and contracts to ensure you have the right level of protection."